In the above, the six EC2 instances in the VPC aren't internet facing, however, they have communication to a single instance that is and are using it to route local traffic to Datadog via 443 TCP.

In the above, the six physical servers in the data center aren't internet facing, however, they have communication to a single instance acting as a proxy that is open and may be used to route local traffic (one way) from the hosts out to Datadog via 443 TCP/HTTPS for external communication.